Google has just released Chrome 61, a new iteration of its web browser. Available for Windows, Linux and Mac, the release comes with several security fixes.
The Chrome 61 web browser is now available for download. Google announces 22 security fixes. Of these, six are considered important.
In addition, several improvements are included, particularly around video. The browser now switches to fullscreen mode automatically according to the rotation of the device.
Google points out that a website's fullscreen mode is automatically exited if a JavaScript dialog opens. This behaviour is intended to improve security by preventing the browser from being completely locked up.
Chrome 61, several new APIs
The Device RAM API is introduced. This new feature is aimed at developers, since it lets a website know how much RAM is available on the machine. The goal is to make the service dynamic so that it can adapt to the capabilities of the device.
Added to this is another API, WebUSB. Here again, the aim is to let a web service access a resource of the device, a USB peripheral. Naturally, this is only possible if the user has given permission.
Finally, the Payment Request API, offered for several months in the Android version of Chrome, is now available in the desktop version. Developers also benefit from native support for JavaScript modules.
Finally, the browser's V8 JavaScript engine moves to version 6.1, with several improvements to boost performance.
Chrome 61 is offered for Windows, macOS and Linux. Note that if you are running the previous version of the browser, its update mechanism should install the new version automatically.
Chrome 61, the details
Security fixes
- [$5000][737023] High CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-06-27
- [$5000][740603] High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein (www.trapkit.de) on 2017-07-10
- [$5000][747043] High CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20
- [$3500][752829] High CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-08-07
- [$3000][744584] High CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17
- [$TBD][759624] High CVE-2017-5116: Type confusion in V8. Reported by Anonymous on 2017-08-28
- [$1000][739190] Medium CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein (www.trapkit.de) on 2017-07-04
- [$1000][747847] Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-07-24
- [$N/A][725127] Medium CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous on 2017-05-22
- [$N/A][718676] Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu (@general_nfs) on 2017-05-05
Other features & improvements
- The Network Information API is now available on desktop as well as Android, enabling sites to access the underlying connection information of a device.
- Developers can now specify scrolling smoothness via a new optional parameter in existing Scroll APIs or with the scroll-behavior CSS property.
- The CSSOM View Smooth Scroll API brings native smooth scrolling to the platform through the scroll-behavior: smooth CSS property or by using the window.scrollTo() DOM scroll method, eliminating the need to implement this behavior with JavaScript.
- CSS color values can now be 8- and 4-digit hex colors of the format #RRGGBBAA and #RGBA.
- Sites can now access the relative positions of the screen content with the Visual Viewport API, exposing complex functionality like pinch-and-zoom in a more direct way.
- The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites to optimize overall performance of a web application.
- When navigating from an installed web app to a site outside the initial web app’s scope, the new site now automatically loads in a Custom Chrome Tab.
- For video using native controls, Chrome will now automatically expand video to fullscreen when a user rotates their device in an orientation that matches a video playing on the screen.
- nextHopProtocol is now available in Resource Timing and Navigation Timing, providing access to the network protocol used to fetch a resource.
- Sites can now require embedded third-party content to enforce a given Content Security Policy via the new csp attribute on iframe elements.
- The DOMTokenList interface now supports replace() to easily change all identical tokens to a new one, such as active to inactive on expiration.
- To access a list of attribute names of an element, getAttributeNames() is now supported and gives developers a more direct mechanism than going through the attributes collection.
- To increase security, sites will now automatically exit full screen if a JavaScript dialog opens.
- Sites can now access an estimate for the disk space used by a given origin and quota in bytes via the Storage API’s new navigator.storage.estimate() function.
- To improve the browser’s cache hit rate, URLSearchParams now supports sort() to list all stored name-value pairs.
- The URLSearchParams constructor has been updated to accept any object as a parameter instead of only other URLSearchParams instances.
- To prevent the use of mis-issued certificates from going unnoticed, sites can use the new Expect-CT HTTP header which will enable automated reporting and/or enforcement of Certificate Transparency requirements.
- Chrome will no longer decode frames for videos using Media Source in background tabs.
- “Non-Live” camera settings such as photo resolution, red eye reduction, and flash mode can now be retrieved with ImageCapture.getPhotoSettings().
- Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.
Deprecations and interoperability improvements
- To increase security, resources with URLs containing both \n and < characters will now be blocked.
- To increase security, support for the Presentation API’s start function has been deprecated and removed for insecure contexts.
- To align with the spec and preserve browser consistency, the scrollingElement is now the documentElement in standards mode.
- To increase consistency across on attributes, onwheel attributes have been moved from Element to Window, Document, HTMLElement, and SVGElement.
- To better follow spec and provide more granular control over the flow of referred content, Chrome now supports three new Referrer Policy values, same-origin, strict-origin, and strict-origin-when-cross-origin.
Following the change in spec, the maximum value for colSpan has been decreased from 8190 to
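The three Referrer Policy values listed above (same-origin, strict-origin, strict-origin-when-cross-origin) differ in whether a request carries the full URL, only the origin, or no referrer at all. The JavaScript below is an added example, not code from Chrome or from the release notes; the function names and sample URLs are constructed, and "potentially trustworthy" is approximated as an https: scheme.

```javascript
// Added example: what the Referer header would contain under the three
// Referrer Policy values named in the release notes.
// Assumption: "potentially trustworthy" is simplified to "scheme is https:".
function isTrustworthy(url) {
  return url.protocol === 'https:';
}

// Full referrer: the source URL without credentials or fragment.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the referrer string, or null when no referrer is sent.
function computeReferrer(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;
  // Downgrade: a secure page requesting an insecure resource.
  const downgrade = isTrustworthy(from) && !isTrustworthy(to);
  const originOnly = from.origin + '/';

  switch (policy) {
    case 'same-origin':
      return sameOrigin ? stripForReferrer(from) : null;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(from);
      return downgrade ? null : originOnly;
    default:
      throw new Error('policy not covered by this example: ' + policy);
  }
}

// Constructed sample: a page URL carrying a session token in its query string.
const PAGE = 'https://user:pw@shop.example/cart?session=abc123#pay';
const TARGETS = ['https://shop.example/checkout',
                 'https://cdn.example/lib.js',
                 'http://tracker.example/p.gif'];
for (const policy of ['same-origin', 'strict-origin', 'strict-origin-when-cross-origin']) {
  for (const target of TARGETS) {
    console.log(policy, '->', target, ':', computeReferrer(policy, PAGE, target));
  }
}
```

In the sample, the session token in the query string reaches only the same-origin target, and the plain-HTTP target receives no referrer under any of the three policies.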